Malware is short for “malicious software” and is a term used to refer to any software designed to infiltrate or damage a computer system without the owner's consent. Malware includes computer viruses, worms, trojans, rootkits, adware, spyware and any other malicious and unwanted software.
When a computer device is infected by malware, most often in the form of a program or other executable code, the user may notice unwanted behaviour and degradation of system performance as the infection can create unwanted processor activity, memory usage, and network traffic. This can also cause stability issues leading to application or system crashes. Even if a malware infection does not cause a perceptible change in the performance of a device, the malware may be performing other malicious functions such as monitoring and stealing potentially valuable commercial or personal information, or hijacking a device so that it may be exploited for some illegitimate purpose.
Many end users make use of security and anti-virus software to detect and possibly remove malware. An example application is F-Secure™ Internet Security produced by F-Secure Corp., Helsinki, Finland. In order to detect a malware file, an anti-virus application must have some way of identifying it from amongst all the other clean and trusted files present on a device. Typically, this requires that the anti-virus software has a database containing “signatures” or “fingerprints” that are characteristic of individual malware files. When the provider of the anti-virus software identifies a new malware threat, the threat is analysed and a unique signature is generated. The malware is then classed as “known” and its signature can be distributed to end users as updates to their local anti-virus application databases, typically by distribution over the Internet.
Anti-virus applications may also make use of a database containing signatures of trusted files. These trusted files are those files published or authored by trusted sources. For example, those files that make up a piece of software distributed by a reputable software provider could be considered to be trustworthy such that, provided such files have not been modified since their publication/release, these files need not be scanned for malware. Only the suspected files need to be scanned.
Signature scanning is only one of the “weapons” available to providers of anti-virus applications. For example, another approach, commonly used in parallel with signature scanning, is to use heuristics (that is rules) that describe suspicious behaviour, indicative of malware. This is particularly relevant to detect a “Zero-day” exploit, which has not yet been identified by the anti-virus providers and for which no virus signature has been generated and distributed. Heuristics can be based on behaviours such as Application Programming Interface (API) calls, attempts to send data over the Internet, etc. Typically, heuristics may be combined, e.g. if target has feature 1 and feature 2 then it is malicious, or thresholds set, e.g. if target has more than 10 features it is malicious, in order to reduce the risk of false alarms.
A particular problem is the ability of malware to hijack trusted applications such as Microsoft™ (MS) Office Suite, Adobe Acrobat Reader/Writer™, and web browsers. One of the ways to achieve this is the so-called “buffer overflow attack”. The buffer overflow attack is an attack in which malware causes an otherwise trusted application to write information into a buffer which exceeds the actual size of the buffer causing a buffer overflow. This may cause the programme to crash and, when the programme restarts, the attacker's code is executed instead of the program's valid process code. When executed, the attacker's code might, for example, open a communication channel to a malicious website from which further malware is downloaded and executed.
Of course, once a particular piece of malware that hijacks trusted programmes has been identified by the anti-virus provider, a signature may be generated and distributed to client devices. However, this may not always be effective, e.g. in the case of so-called “polymorphic” viruses which are able to mutate whilst maintaining the basic malware algorithm intact. Heuristic approaches remain significant for detecting such malware, and of course more importantly for detecting zero-day malware. Providers are continuously seeking to improve upon existing heuristic-based detection engines.